
Sentinel HASP Envelope

This paper examines a variety of counterattacks available as part of the Sentinel
HASP Envelope mechanism for protecting applications from piracy.

Published in: Technology

The Sentinel HASP Envelope
Whitepaper

Table of Contents

Executive Summary
Evaluating a Hardware-based Protection System
Sentinel HASP Envelope Protection Method
The Sentinel HASP Envelope
  One-Click, Easy-to-Use Solution
  Multiple, Non-obtrusive Calls to the Sentinel HASP Hardware Key
  Security for Your Intellectual Property and Know-How
  Multi-layered Shield—Security for the Weakest Point
  Anti-Debugging Methods
  How to Tell Friend from Foe?
  Vary Behavior when Cracking Attempt is Detected
How to Get More out of Your Software Protection
  License Management
SafeNet Sentinel: An Easier Way to Envelope
Conclusion
SafeNet Sentinel Software Monetization Solutions

Executive Summary

One complex issue faced by software publishers in today’s computing environment is the prevention of unauthorized use of their software, without creating unnecessary obstacles for customers who wish to legitimately purchase and use it. There is a direct correlation between the adoption of new technologies and the amount of unlicensed and hacked software copies. The internet has greatly affected this phenomenon as it provides an open platform which eliminates international barriers, language obstacles, and other constraints, thus making information easily available.

Software piracy, including various types of either software or hardware licenses, or unfulfilled upgrades, denies deserved revenue and harms existing and paying customers, who ultimately bear the cost of illegal product use. Piracy limits the competitive edge, leads to higher-priced, less advanced products and ultimately harms the entire process. Software piracy has become an issue of great concern around the globe because it is widespread, its real source is difficult to identify, and it is even harder to prevent and negate. Too often software publishers are faced with the proliferation of illegal copies of their applications across the Internet, losing revenue as a result. Those that have proactively protected their software using some sort of licensing scheme are not always fully protected against the ever-growing cracking programs that can compromise their application’s security and licensing mechanisms.

This paper examines a variety of counterattacks available as part of the Sentinel HASP Envelope mechanism for protecting applications from piracy.

Evaluating a Hardware-based Protection System

Cracking a hardware-based protection key is a lengthy, expensive, and painstaking process, not always worth the effort for the cracker in terms of potential “Return on Investment”, i.e. time spent versus income. Hackers will always prefer the easy route, and will try to avoid long debugging hours and tedious code review in order to generate a fully working generic hack. Hackers will always prefer to create a generic hack – one that applies to all the applications protected by a specific manufacturer’s hardware key. Upon failing such a hack, crackers will turn to the next feasible task of creating an application-specific crack, i.e. one that applies to an individual application only. Of course they will need to repeat this process for every application they wish to crack, but typically this is not an obstacle for those who are determined to profit from the application. Consequently, it is imperative that the software-based security features that augment the hardware-based solution be powerful and continuously improved.

A common misconception in the industry is that once a certain application is secured and distributed using some sort of licensing protection scheme, it is then completely “bullet-proof” against software piracy forever. It is imperative that the ISV work with the licensing vendor/hardware manufacturer to constantly update and improve the level of security. By incorporating innovative anti-hacking technologies, ISVs can always stay one step ahead of software piracy threats.

Sentinel HASP Envelope Protection Method

The system is composed of an encryption-based hardware protection key and supporting software-based protection tools. A Sentinel HASP protected application can load and run only if the hardware key is physically connected to the host computer.
There are two protection methods that can be incorporated when securing applications with Sentinel HASP: the Sentinel HASP Run-Time API and the Sentinel HASP Envelope. In order to achieve the highest level of security and protection, it is advised to incorporate both methods. The Sentinel HASP Run-Time API is a set of libraries that are linked to the application envelope, both applied by Sentinel HASP software tools during the application development stage. Protection achieved through the use of the API requires changes to the source code and allows the customization of calls to the Sentinel HASP HL key throughout the application. In order to achieve the highest level of security and protection, careful consideration and planning need to take place before and during the software development process, incorporating the Sentinel HASP HL from the beginning. Integrating the Sentinel HASP Run-Time API is a manual and more labor-intensive process when compared to the Sentinel HASP Envelope, as it requires careful planning throughout the whole development stage. The Envelope is an out-of-the-box (push button) automatic protection tool, deployed on executable, DLL, OCX or other PE-format files of your application, which is carried out once the application is ready and fully tested.

The Sentinel HASP Envelope

The Sentinel HASP Envelope is an automatic file wrapper that provides robust Intellectual Property (IP) protection against software reverse engineering through file encryption, code obfuscation and system-level anti-debugging. This ensures that algorithms, trade secrets, and professional know-how embedded in the software are secured against hackers. Software solutions not only consist of executables and DLLs, but they also contain data files which may be of even greater value than the software applications themselves. In many cases, these data files contain highly sensitive information and IP which must be secured against prying eyes and theft.

To protect data files, the Sentinel HASP Envelope and DataHASP tools wrap the application, encrypting and controlling access to the software data files so that only authorized users and the hosting software can decrypt and access it. In seconds, top-notch security and access control is achieved for the entire product suite at a simple click of a button. The Sentinel HASP ToolBox is a GUI-based utility that helps familiarize you with the Sentinel HASP Run-time API and generates code for inclusion in your software source code.

The Sentinel HASP Envelope secures your application by adding a protective shield responsible for binding the application to the Sentinel HASP HL key, encrypting the application file, managing and tracking the licensing information stored in the key and introducing numerous piracy obstacles that are not available within the Sentinel HASP API.

When the application is launched, the Envelope sends a query to the Sentinel HASP HL key validating its physical connection to the host computer. If the dedicated Sentinel HASP HL key is connected to the computer, the Envelope uses the Sentinel HASP HL encryption engine to decrypt the application file (previously encrypted by the developer). If the Sentinel HASP HL key is not connected, the application halts and cannot execute.

[Figure: Original File (Application) → Envelope Protection → Protected File (Encrypted Application)]

Sentinel Envelope Features and Benefits

  • Automatic File Wrapper - Provide robust protection against software reverse engineering through file encryption and native code obfuscation
  • Reconnection of the application to the hardware - The application is now tightly coupled with the Hardware by means of a protection key
  • Secure communication channel - Sentinel HASP eliminates man-in-the-middle attacks by providing a secure channel for communication between the protected application and the protection key. The Java Envelope uses this ability to prevent a hacker from intercepting communications to access data sent back from the protection key.
  • Runtime decryption - Because Sentinel HASP decrypts files as they are requested at runtime rather than loading all the .class files into the virtual machine at once, it prevents hackers from rebuilding the entire application

One-Click, Easy-to-Use Solution

Protecting with the Sentinel HASP Envelope is a procedure that takes only a few seconds, assuming that the default protection scheme is chosen. The process is slightly extended if additional steps and measures are taken in order to use some or all of its available options, providing an extremely powerful platform for software vendors who have no access to the application’s source code. For example, resellers and dealers that sell unprotected software can use the basic default Envelope settings in order to protect the products for their local markets, an easy and rapid process. Since custom protection with the Sentinel HASP Run-Time API must be done at early development stages, the Envelope provides a simple out-of-the-box alternative. Once development is finalized, and the application executables are ready, the Sentinel HASP Envelope can be used to quickly apply another important and extremely strong layer of protection without affecting the actual application.

Multiple, Non-obtrusive Calls to the Sentinel HASP Hardware Key

In addition to various tasks performed at runtime, the Envelope is also responsible for checking that the Sentinel HASP HL key is connected to the computer throughout the software runtime. Since the Envelope is employed on a compiled file, calls to the Sentinel HASP HL key are not incorporated within the application code; they are executed periodically by the protection code that is added onto the application file. Time intervals of Sentinel HASP HL key checks are Envelope parameters that are fully configurable by the developer during the protection phase. Each call to the key employs the Sentinel HASP HL hardware-based encryption engine, sending an encrypted string. The returned decrypted string is analyzed to confirm the presence of the key. Both the encryption and decryption mechanisms employ the AES 128-bit encryption engine, making sure that the two-way communication channel is fully secured.

Security for Your Intellectual Property and Know-How

Time and resources spent in developing your product are reflected in its quality and ability to answer market needs and therefore should be well hidden from prying eyes. The Sentinel HASP Envelope’s encryption-specific capability is one of its most important qualities, allowing the encryption of parts or the entire application file, ensuring that no prying eyes can peek into your code. This is most useful against cases where one may want to change your code in order to adapt the application to their personal benefit. Moreover, this is of true value in preventing your competitors from learning your professional secrets and know-how.
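
The periodic key check described under “Multiple, Non-obtrusive Calls to the Sentinel HASP Hardware Key” above, modelled as an added example; it is not SafeNet's code and does not use the Sentinel HASP API. It assumes a hypothetical `SimulatedKey` class in place of the hardware, HMAC-SHA256 as a stand-in for the key's AES 128-bit engine, and a check table precomputed at protection time, since the page does not say how the returned string is analyzed.

```python
import hashlib
import hmac
import secrets

STRING_LEN = 16  # 128-bit strings, matching the AES 128-bit engine the page names


def _pad(secret: bytes, nonce: bytes) -> bytes:
    # Stand-in for the key's AES-128 engine (assumption): a keyed pad from
    # HMAC-SHA256, so the example needs only the standard library.
    return hmac.new(secret, nonce, hashlib.sha256).digest()[:STRING_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(secret: bytes, plaintext: bytes) -> bytes:
    """Vendor side: fresh nonce per string, so equal plaintexts never repeat."""
    nonce = secrets.token_bytes(STRING_LEN)
    return nonce + _xor(plaintext, _pad(secret, nonce))


class SimulatedKey:
    """Hypothetical model of the hardware key; the secret stays inside it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def decrypt(self, ciphertext: bytes) -> bytes:
        nonce, body = ciphertext[:STRING_LEN], ciphertext[STRING_LEN:]
        return _xor(body, _pad(self._secret, nonce))


def build_check_table(secret: bytes, entries: int = 8):
    """Protection phase: precompute (encrypted string, digest of expected
    reply) pairs. The wrapper ships the table, not the secret or plaintexts."""
    table = []
    for _ in range(entries):
        plaintext = secrets.token_bytes(STRING_LEN)
        digest = hashlib.sha256(plaintext).digest()
        table.append((encrypt(secret, plaintext), digest))
    return table


def key_is_present(key, table) -> bool:
    """One run-time check. `key` is None when nothing is plugged in."""
    if key is None:
        return False
    ciphertext, expected = secrets.choice(table)
    reply = key.decrypt(ciphertext)
    return hmac.compare_digest(hashlib.sha256(reply).digest(), expected)


def first_failed_check(key_at_tick, table, ticks: int) -> int:
    """Run one check per tick (the configurable interval). Return the tick at
    which the protected application would halt, or -1 if every check passes."""
    for tick in range(ticks):
        if not key_is_present(key_at_tick(tick), table):
            return tick
    return -1


if __name__ == "__main__":
    secret = secrets.token_bytes(STRING_LEN)  # constructed sample secret
    table = build_check_table(secret)
    genuine = SimulatedKey(secret)
    other = SimulatedKey(secrets.token_bytes(STRING_LEN))
    print("genuine key:", key_is_present(genuine, table))
    print("different key:", key_is_present(other, table))
    # Key unplugged after the third interval: the wrapper halts at tick 3.
    print("halt at tick:", first_failed_check(
        lambda t: genuine if t < 3 else None, table, 10))
```
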

The Sentinel HASP Envelope allows the prevention of industrial espionage thus maintaining your competitive advantage. By automatically wrapping files and using code obfuscation, the Envelope provides robust anti-reverse engineering encryption protecting valuable algorithms and trade secrets. The Sentinel HASP Envelope performs sophisticated encryption to hide your source code. Each file protected with the Envelope is encrypted using a different random seed, resulting in very different files after protection, even if the originals were identical. The application file is divided into multiple blocks, which are scalable and can be predetermined by developers during the protection session. Each block is encrypted using 128-bit AES based encryption engine and different arbitrary seeds.

Multi-layered Shield—Security for the Weakest Point

The weakest point in an application protected with any wrapping mechanism is the seam between the application file and the externally added protection code. This is the point which, once annulled, will disconnect the link to the hardware key, leaving the application completely unprotected. Consequently, this is the point at which most attackers will attempt to strike. Hackers will study the protected file analyzing the protection code and how it is linked to the attached hardware key. Once they understand the code and recognize its location, they can then operate in one of the following manners:

  • Break the protection link for the specific application file – Specific hack
  • Break the protection link for all other files protected by the same mechanism if the exact same method appears in all of them repeatedly – Generic hack

[Figure: Envelope Protection Code attached to the Original Application File. The seam is the weakest point.]

It is therefore essential that the seam point between the protected file and the added protection code be ambiguous and untraceable, presenting a long and tiresome search procedure for anyone trying to break the protection.

One of the strongest features of the Sentinel HASP Envelope is its ability to protect the seam point and present numerous obstacles that prevent the protection link from being broken. This is achieved by supplying multi-layered protection code, which is added onto the application file dynamically during the protection process. These layers are pieces of code specially designed to fit one-after-the-other like train cars. In each protection session, the Envelope ensures that the various layers constructing the entire code are organized in a different sequence when added to the original application file.

[Figure: Original Application File and Envelope Protection Code]

The dynamic arrangement of the layers differs in each and every single Envelope protection session, ensuring that every protected file is unique. There is no resemblance between protected files, even if the original files are completely identical. The transition from the last instruction in the Envelope code to the first instruction in the application code differs between protected applications. For each application, the original code starts at a different place, making the Envelope application-seam almost impossible to trace. Learning and understanding the different layers and their layout within the protected file implies nothing about the layout in the same file protected in another Envelope session. To make it even more difficult to break, the Envelope not only arranges the layers differently, it also selects a different number of layers for each file it protects. Furthermore, the layers are encrypted, each one in a different way. And, during application runtime, each layer is responsible for decrypting the next layer in the sequence using a random encryption key.

Confused? There’s more! The code in each layer is obscured by using dummy opcodes, which are inserted between valid code instructions. This severely obstructs the ability to investigate the code and ensures that disassemblers cannot analyze the protection mechanism or the disassembled code.

Anti-Debugging Methods

An additional, extremely powerful feature of the Sentinel HASP HL Envelope is its debugger detection mechanism, which is constantly on the prowl for active debuggers. By sending misleading commands and false information to “attract attention,” the Envelope misleads and distracts debuggers. As a result, debuggers in action are disclosed and handled by the Envelope accordingly, allowing distinction between friend and foe.

How to Tell Friend from Foe?

Normally, debuggers are used by software developers to detect bugs and trace problems during the development process of their application. However, people trying to gain illegal access to your software use the same debuggers to detect and trace the implanted protection code with the ultimate goal of changing, disabling, or removing it altogether.

Since both groups use the same debugging tools, the Envelope must have the ability to distinguish between debugging activities of an innocent developer and that of someone intending to do harm. This is achieved by displaying a message that a debugger has been detected and preventing the protected application from loading. A developer will turn off the debugger at this stage to enable the application to load properly and run. However, if a debugger is activated after the application loads and runs, clearly this is the activity of a software “pirate” attempting to crack the software, and thus the application halts.

Vary Behavior when Cracking Attempt is Detected

Another technique used by the Sentinel HASP Envelope to fight debuggers is what we call “behavior alteration.” Sentinel HASP HL keys employ a sophisticated code design that takes advantage of the fact that the operating system and the debugger execute applications differently. When a cracking attempt is detected (for example, through using a checksum), the reactive behavior of the software is delayed, thus breaking the logical connection between “cause” and “effect.” Delayed reaction confuses the software cracker by obscuring the true logical link between the cracking attempt and the negative reaction of the software to that specific attempt. Behavior such as impairing program functionality when a cracking attempt is detected can be very effective. Additional behaviors could include causing the program to crash, overwriting data files, or deliberately causing the program to become inaccurate, causing the program to become altogether undependable.

How to Get More out of Your Software Protection

In addition to protecting your software, the Sentinel HASP HL key system invokes an advanced automatic license generator that allows the definition of various licensing terms specifically tailored to your applications, allowing you to comply with your ever-changing business model.

License Management

Innovative selling models such as rental, subscription, demo, concurrent users, pay-per-use and try-before-you-buy are all achievable with the Sentinel HASP HL key licensing system. These are implemented by storing license parameters in the Sentinel HASP HL key’s memory such as counters, expiry dates and number of concurrent users. Once the protected application reaches the end-user, the Sentinel HASP Envelope takes control and acts as the License Manager responsible for executing the application in accordance with the predefined licensing terms. It truly is automatic; you only need to trigger the licensing mechanism by checking a flag when protecting your application with the Envelope.

SafeNet Sentinel: An Easier Way to Envelope

The Sentinel HASP Envelope is an automatic file wrapper that provides robust protection against software reverse engineering through file encryption and native code obfuscation. This ensures that algorithms, trade secrets, and professional know-how embedded in software are secured against hackers. Sentinel HASP eliminates man-in-the-middle attacks by providing a secure channel for communication between the protected application and the protection key using 128-bit AES encryption. The Envelope uses this ability to prevent a hacker from intercepting communications data sent to and from the Sentinel HASP HL protection key.

Conclusion

While hackers constantly improve their hacking techniques, so does technology and what it offers in terms of fighting piracy. Commercial disassemblers further simplify this process for hackers, and while the Envelope provides very strong out-of-the-box security, the included capabilities are sometimes insufficient to fully prevent attacks. Techniques such as encryption and obfuscation are commonly used to slow attackers, but still leave points of vulnerability. Enveloping combines encryption and native code obfuscation to provide the strongest protection to date, enabling the protection of Intellectual Property. By using the Sentinel HASP Envelope solution, you gain the advantages of enveloping without spending the time and effort to develop a solution from scratch.

SafeNet Sentinel Software Monetization Solutions

SafeNet has more than 25 years of experience in delivering innovative and reliable software licensing and entitlement management solutions to software and technology vendors worldwide. Easy to integrate and use, innovative, and feature-focused, the company’s family of Sentinel® Software Monetization Solutions are designed to meet the unique license enablement, enforcement, and management requirements of any organization, regardless of size, technical requirements or organizational structure. Only with SafeNet are clients able to address all of their anti-piracy, IP protection, license enablement, and license management challenges while increasing overall profitability, improving internal operations, maintaining competitive positioning, and enhancing relationships with their customers and end users. With a proven history in adapting to new requirements and introducing new technologies to address evolving market conditions, SafeNet’s more than 25,000 customers around the globe know that by choosing Sentinel, they choose the freedom to evolve how they do business today, tomorrow, and beyond.

For more information on SafeNet’s complete portfolio of Software Monetization Solutions for installed, embedded, and cloud applications or to download a free evaluation of our award-winning products please visit: www.safenet-inc.com/sentinel

To download a FREE Sentinel HASP Developer Kit, visit: http://www3.safenet-inc.com/Special/hasp/safenet-hasp-srm-order/default.asp

To learn more on How to Protect Commercial J2EE Software Products against Code Manipulation, Reverse Engineering, and Theft, please visit the link below: www.safenet-inc.com/JavaProtection/

Join the Conversation

  • Sentinel Online: www.Safenet-inc.com/sentinel
  • www.LicensingLive.com
  • Twitter: twitter.com/LicensingLive
  • LinkedIn: http://bit.ly/LinkedInLicensingLive
  • YouTube: http://www.youtube.com/user/LicensingLive
  • BrightTalk: http://www.brighttalk.com/channel/5572

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected

©2011 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-02.08.11
